Moved from Software forum

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by timebuilder, Mar 23, 2010.

  1. timebuilder

    timebuilder Private E-2

    RE: Changes to browser response after Hyloti.Y removal by AVG.

    I have been told to post these things here in this forum.

    Let’s start with the problem.

    I have a Dimension 5150 running Xp Home Sp 3, with 2 gigs of ram. I bought it new on ebay in 2004. On the whole, it has been a good, not great machine. My previous machine had only a 7-hundred something speed processor, so when I bought this 3.0 mhz machine, I was expecting a HUGE increase in performance. To be honest, I found myself somewhat disappointed. My ISP is a Verizon 1.5 meg DSL line. Yes, it was better, but not up to the hype of the new family of processors.

    With the pleasantries over, here is the deal. A few weeks ago, I picked up a Hyloti.Y infection, which AVG told me about during a daily scan, and which I removed.

    Since that experience, I have had a curious problem, with both my DSL and using my Blackberry on a tether, and also using both IE and Firefox. After an initial bootup, I can open a browser and everything is great. If I am on a forum webpage, for example, and I click on a link to a post, the page will immediately start the loading process, and stop dead, right there, with perhaps one or two green squares on the progress bar at the bottom of the page. Sometimes a return to the post link and repeated clicking helps, sometimes just repeatedly refreshing the page helps. Sometimes, 99% of the page is loaded, but some things have still not loaded, and the progress bar shows all green squares. After a day or so of this, I knew I was in deep stuff.

    I started by googling a few phrases like “pages need refresh to load” and similar things. I found some info, such as how to scan and repair the dll files using the cmd prompt, and rebuilding the winsock catalog. I’m not an IT pro, but I was writing in Fortran in 1968.

    Today, I was installing an autodial temp alarm in a server room, and asked the supervisor what he would do in this circumstance. He said I should just blow off the time spent and go for the reformat, which is the same thing my local geek at Best Buy had told me on Sunday.

    Now, the BB guy said I could just call Dell and get a disc for the machine for $25. Somehow, the price has doubled, so it may be back to ebay to get a disc at a more reasonable price for a six year old machine. I gave all my info twice, to two different people, and then I was supposed to be forwarded to tech support, and the system told me they couldn’t connect me and it dropped my call. Oh, the callback number I gave them? No call. Very nice. More American jobs gone overseas.

    Of course, my Mac friends are having a good time at my expense. Yeah, I know, this never happens with a Mac. Yadda, yadda.

    I found Majorgeeks in one of my Google searches, and the thread was the Malware thread. I read and performed all of the steps, except Combofix would not download. I also ran HijackThis to see what was running. I found nothing that seemed out of the ordinary. I didn’t post logs in the forum because I was without the combofix log, and I realize some folks can have a bit of an attitude when you don’t follow all their steps to the letter.

    The bottom line: if your machine was doing this, would your time be best spent taking some further action that I have not described (or found in my searches) or would you just back up everything, get the CD, and reformat the drive?

    Because of apps on the drive (like Office, for which I don’t have the discs) I’d really like to avoid having to wipe and reinstall, and have to pay even more money for the Office discs, so I don’t lose my email files. It’s a shame that Open Office has not come out with an Outlook-compatible product.

    So, gurus of MajorGeeks, how can I fix this? All helpful advice is welcome.

    Others in the original thread asked some questions. Here are my posts giving additional or redundant info:

    So, as you see from the first part of the post, Combofix failed to download. I can post other results, if you like, including HijackThis.
     
  2. timebuilder

    timebuilder Private E-2

    Good news.

    I was finally able to download and run Combofix.

    I am attaching my first logs.
     

    Attached Files:

  3. timebuilder

    timebuilder Private E-2

    And more logs...
     

    Attached Files:

  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    No. :) We don't take any negative attitude when someone cannot run one of the tools, we either tell them to skip the step and move onto the next, and then if necessary we can later work around the problem.

    Malware can block tools used to fight it. It is stated clearly in our R&R to move onto the next step if something does not work. We all have a lot of patience here and are nice natured, so rest assured nobody will have an attitude problem.

    1. Please go to Add/Remove programs and uninstall the following software:

    • Viewpoint Media Player <---- as requested per the R&R.

    2. Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    DirLook::
    C:\Documents and Settings\Art Houston\Local Settings\Application Data\{C2FC313B-5967-4265-8B4C-572F1129DC8E}
    
    File::
    c:\windows\Bzehube.dat
    c:\windows\Xhetofevi.bin
    
    Folder::
    c:\documents and settings\Art Houston\Local Settings\Application Data\ndwncj
    
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\NoExplorer]
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    3. Also delete all files in the below bold folders except ones from the current date (Windows will not let you delete the files from the current day).
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know please now how things are running. :)
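    Before dragging a script like the one above onto ComboFix, it helps to list exactly what it will remove; as an added example (not from the thread or from ComboFix itself), this Python parser turns the posted CFScript into a per-section plan. The section meanings and the `[-KEY]` deletion syntax are inferred from the script as used in this thread, and nothing else is accepted.

```python
# Added example, not from the thread or from ComboFix: parse a CFScript into a
# reviewable plan before dropping it onto ComboFix.exe. Section meanings are
# inferred from the script above; only the .reg-style "[-KEY]" form is handled.
import re

SECTION_INTENT = {  # header -> what that section does (assumed from usage)
    "KILLALL": "terminate running processes before cleaning",
    "DirLook": "list directory contents in the log (read-only)",
    "File": "delete the listed files",
    "Folder": "delete the listed folders",
    "Registry": "apply .reg-style edits; [-KEY] deletes the key",
}
SECTION_RE = re.compile(r"^(\w+)::\s*$")
REG_KEY_RE = re.compile(r"^\[(-?)(HKEY_[A-Z_]+\\.*)\]$")
# Sample input: the script posted in the thread (one file entry, blanks dropped).
SAMPLE = r"""KILLALL::
DirLook::
C:\Documents and Settings\Art Houston\Local Settings\Application Data\{C2FC313B-5967-4265-8B4C-572F1129DC8E}
File::
c:\windows\Bzehube.dat
Folder::
c:\documents and settings\Art Houston\Local Settings\Application Data\ndwncj
Registry::
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\NoExplorer]
"""


def parse_cfscript(text):
    """Map each section header to its entries; Registry entries become (action, key)."""
    plan, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            if section not in SECTION_INTENT:
                raise ValueError("unknown CFScript section: " + section)
            plan.setdefault(section, [])
            continue
        if section is None:
            raise ValueError("entry before any section header: " + line)
        if section == "Registry":
            k = REG_KEY_RE.match(line)
            if not k:
                raise ValueError("unsupported Registry line: " + line)
            line = ("delete key" if k.group(1) == "-" else "create key", k.group(2))
        plan[section].append(line)
    return plan
```

    Anything the parser rejects (an unknown section, a registry line that is not a plain key) is a reason to ask the helper what that line does before running the script.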
     
  5. timebuilder

    timebuilder Private E-2

    Did you note that I ran Combofix and posted the log, or did I do something wrong?
     
  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    :confused: Of course I saw you ran combofix. :) That is why I gave you a script to run. You should do this and also follow any other steps that I outlined.

    Why would I think you did something wrong?
     
  7. timebuilder

    timebuilder Private E-2

    Probably because I'm following a direction without any understanding of the approach.

    I attempted to delete the two files you mentioned, and in each case, one file in that folder could not be deleted, saying that it was in use, with a leading tilde (~).

    I am attaching the combofix log file after running it the way you described, with a drag and drop code in a text file.

    I had trouble loading this page from the favorites menu, just as I have been.

     

    Attached Files:

  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    All instructions are clear and concise. :) You should be able to follow them without too much difficulty.

    Not to worry.
    Yes, but you missed a step, after running the CF script I wanted you to do the below also:

    Then try accessing by not using favourites ;)


    Please attach the other requested zipped file and then I can see if the fix was successful, which I believe it was.
     
  9. timebuilder

    timebuilder Private E-2

    I just ran the file you specified, and I am attaching the zip.
     

    Attached Files:

  10. timebuilder

    timebuilder Private E-2

    The problem I am having sounds very much like the one in this thread:

    http://forums.majorgeeks.com/showthread.php?p=1465871#poststop

     
  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Your logs are clean. You can troubleshoot out any outstanding issues in the software forum. :)

    Use windows explorer to locate and delete the below bold folders:


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  12. timebuilder

    timebuilder Private E-2

    Okay.

    After I ran the scans, my impression of the problem was that it still lingered. So, I followed the advice in the previous post and cleaned up the various tools, deleting where required, and then I followed the link about recommendations. On that page, there was mention of AVG being a "bloated" program that slows machines down markedly. Since I was already a PC Tools user (Registry Mechanic) I opted for uninstalling AVG and switching to the free antivirus PC Tools product.

    Now, I can't say if it was the various tools I used to clean and scan my machine, or the deletion of AVG, or the cumulative effect of all of these actions, but after switching to the new AV program, the page loads are MUCH faster, and I have yet to need a refresh or an extra click.

    So, although this was a somewhat frustrating process, in the end, I have to say it was worth the time and trouble of all the reading, loading, scanning, cleaning, deleting and posting.

    Thank you!!!
     
  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You're very welcome. :) I am glad to hear that the machine is running more smoothly for you!
     
